
View Full Version : An image upload site



wentwooddownhill
05-18-2007, 05:21 PM
Hi,
Could anyone help me with an image upload script so that users can upload images and then they can be viewed on a main page, etc.? I'm not sure if PHP is the right method to use, but I think it is.

djr33
05-18-2007, 08:07 PM
http://php-mysql-tutorial.com

http://www.php.net/manual/en/features.file-upload.php

Those two should be what you need. It's a complex project, but that will do what you need.

Additionally, the GD library (a set of functions) in PHP will allow image manipulation if needed, such as resizing, etc.

killerchutney
05-19-2007, 09:21 AM
Here's what I think about image uploading with PHP. It's easy to implement, but the hard part is keeping it secure. I once had an image upload script; 4 weeks down the line there were some mysterious PHP files placed there.

djr33
05-19-2007, 10:37 AM
That's a good point. If you are careful with creating the right security, that should be preventable, though.
But do look into possible security holes.

Most importantly, before saving anything to your site (uploaded files in a temp location that isn't available to anyone for use until you 'move' it to the final place), you should be sure to verify both the file extension and that it is, indeed, the right type of content. Using getimagesize() will be the easiest way to check if a variable (the file will be stored as one) is actually a valid image.

hanji
05-25-2007, 09:43 PM
getimagesize() is good for that; I would also implement a few other security practices here. Checking the extension is useless, since that could be spoofed easily enough. Checking $_FILES['type'] is useless as well, since that is sent from the browser and can be spoofed too.

What I would recommend (depending on whether you have php4 or php5) is to use dev-php4/pecl-fileinfo or dev-php5/pecl-fileinfo. With this you could do a server-side check on the file's MIME type while it's in /tmp, before moving it to its final location.

I would also recommend moving the file into a database as a BLOB, or moving the physical file above the webroot. That way a bad guy couldn't browse right to it with his browser and execute a PHP file he was able to get onto the server. You would then fopen() the file and set the header() to display the image.

These are all complicated processes, but allowing uploads from the public is a risky venture. One of the first steps of any hack is to get a malicious payload onto the server and execute it. From there... it's game over. So keep security in mind when developing, and take your time doing your research.

hanji

hanji
05-25-2007, 09:47 PM
Another way to verify an image is using the exif functions. These will need to be compiled into your PHP build, but might already be there (view phpinfo() to see).


    // Inputs assumed to be set by the surrounding 'checker' function:
    $checkImage = true;        // whether an image check was requested
    $fieldName  = 'image';     // name of the upload form field
    $IMAGE_type_check = false; // result of the exif check (default: fail)
    $MIME_type_pass   = false;

    // Image types this upload form is willing to accept.
    $imgTypeConstants = array(
        IMAGETYPE_GIF,
        IMAGETYPE_JPEG,
        IMAGETYPE_PNG,
        IMAGETYPE_BMP,
        IMAGETYPE_TIFF_II,
        IMAGETYPE_TIFF_MM);

    if($checkImage && function_exists('exif_imagetype') && isset($_FILES[$fieldName]['tmp_name'])){
        // Read the type once from the temp file's real content, not from
        // the filename or the browser-supplied $_FILES[...]['type'].
        $detectedType = exif_imagetype($_FILES[$fieldName]['tmp_name']);
        foreach($imgTypeConstants as $constantVal){
            if($detectedType === $constantVal){
                $IMAGE_type_check = true;
                break;
            }
        }
        $MIME_type_pass = ($IMAGE_type_check ? true : false);
    }

This is part of a 'checker' function I have to validate an image using exif. Do you have access to the server? There are many server-side features that could help lock down unwanted script uploads (i.e. mod_security, the Suhosin hardened PHP patch, etc.).

hanji
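Putting the advice from this thread together (content sniffing with exif_imagetype(), storage above the webroot, and serving the bytes through a script that sets the header()), here is an added example for current PHP. It is not code from the thread; the upload directory /var/www/uploads and the form field name "image" are assumptions.

```php
<?php
// Added example, not from the thread. Assumes UPLOAD_DIR lies outside the
// document root so nothing stored there can be requested (or executed) directly.
const UPLOAD_DIR    = '/var/www/uploads';
const MAX_BYTES     = 2 * 1024 * 1024;
const ALLOWED_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];

// Validate one entry of $_FILES and store it; returns the server-chosen name or null.
function store_upload(array $file): ?string
{
    // Only accept files that really arrived via the HTTP upload mechanism.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Sniff the real content; the client's filename and 'type' are never consulted.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !in_array($type, ALLOWED_TYPES, true)) {
        return null;
    }
    // Random name with an extension derived from the sniffed type, e.g. "...a1.jpeg".
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($type);
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

// Stream a stored image back to the browser as image data only.
function serve_image(string $name): void
{
    // Accept only names this script generated, which also rules out ../ paths.
    if (!preg_match('/^[0-9a-f]{32}\.(gif|jpeg|png)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $type = @exif_imagetype($path);
    if ($type === false) { http_response_code(404); return; }
    header('Content-Type: ' . image_type_to_mime_type($type));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Usage: POST a multipart form with field "image" to upload; GET ?n=<name> to view.
if (isset($_FILES['image']))  { $stored = store_upload($_FILES['image']); }
elseif (isset($_GET['n']))    { serve_image((string) $_GET['n']); }
```

The exif extension must be present for exif_imagetype(), as the post above notes; without it the function_exists() check from the earlier snippet applies.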